program:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f00000000c0)={'wlan1\x00', <r2=>0x0})
sendmsg$NL80211_CMD_SET_INTERFACE(r0, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)={0x24, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x2}]}, 0x24}}, 0x0)
r3 = socket$nl_generic(0x10, 0x3, 0x10)
r4 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f00000000c0)={'wlan1\x00', <r5=>0x0})
sendmsg$NL80211_CMD_CONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000380)={&(0x7f0000000240)={0x30, r4, 0x5, 0x70bd25, 0x0, {{}, {@val={0x8, 0x3, r5}, @void}}, [@NL80211_ATTR_SSID={0xa, 0x34, @default_ap_ssid}, @chandef_params=[@NL80211_ATTR_WIPHY_FREQ={0x8}]]}, 0x30}}, 0x0)
syz_80211_inject_frame(&(0x7f0000000040)=@device_b, &(0x7f0000000280)=ANY=[@ANYBLOB="50000000080211000001ffffffffffff0802110000000000000000000000000064000100000602020202020201010b"], 0x48)
nanosleep(&(0x7f0000000340)={0x0, 0x2faf080}, 0x0)
syz_80211_inject_frame(&(0x7f0000000200)=@device_b, &(0x7f00000021c0)=ANY=[@ANYBLOB="b00000000802110000010802110000000802110000001000000002"], 0x1e)
syz_80211_inject_frame(&(0x7f00000004c0)=@device_b, &(0x7f0000000440)=ANY=[@ANYBLOB="10000000080211000001080211000000080211000000200004a000000c0001"], 0x3c)
r6 = openat$sequencer(0xffffffffffffff9c, &(0x7f0000000080), 0x189001, 0x0)
ioctl$SNDCTL_SEQ_GETINCOUNT(r6, 0x80045105, 0x0)
r7 = socket$nl_generic(0x10, 0x3, 0x10)
ioctl$sock_SIOCGIFINDEX_80211(r7, 0x8933, &(0x7f0000000240)={'wlan1\x00', <r8=>0x0})
syz_genetlink_get_family_id$nl80211(&(0x7f0000000380), 0xffffffffffffffff)
r9 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route_sched(r9, &(0x7f0000000300)={0x0, 0x0, &(0x7f00000002c0)={&(0x7f00000000c0)=@newtaction={0xc0, 0x30, 0xffff, 0x0, 0x0, {}, [{0xac, 0x1, [@m_police={0x6c, 0x1, 0x0, 0x0, {{0xb}, {0x40, 0x2, 0x0, 0x1, [[@TCA_POLICE_TBF={0x17, 0x1, {0x0, 0x0, 0x0, 0x0, 0x0, {}, {}, 0x0, 0x0, 0x4}}]]}, {0x4}, {0xc}, {0xc}}}, @m_gact={0x3c, 0x2, 0x0, 0x0, {{0x9}, {0x10, 0x2, 0x0, 0x1, [@TCA_GACT_PROB={0xc, 0x3, {0x0, 0x1098, 0xffffffffffffffff}}]}, {0x4}, {0xc, 0x3}, {0xc}}}]}]}, 0xc0}}, 0x0)
sendmsg$NL80211_CMD_TDLS_MGMT(r7, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000440)={&(0x7f0000000500)={0x5c, r1, 0x1, 0x0, 0x0, {{}, {@val={0x8, 0x3, r8}, @void}}, [@NL80211_ATTR_STATUS_CODE={0x6}, @NL80211_ATTR_MAC={0xa, 0x6, @broadcast}, @NL80211_ATTR_TDLS_ACTION={0x5, 0x88, 0x2}, @NL80211_ATTR_IE={0x1b, 0x2a, [@rann={0x7e, 0x15, {{0x1, 0x1e}, 0x14, 0x0, @device_a, 0xe, 0x7, 0xb2}}]}, @NL80211_ATTR_TDLS_DIALOG_TOKEN={0x5}]}, 0x5c}, 0x1, 0x0, 0x0, 0x20000000}, 0x0)
close(r3)

[   80.098145][ T4665] Bluetooth: hci0: command tx timeout
[   80.101865][ T1309] ieee802154 phy0 wpan0: encryption failed: -22
[   80.104253][ T1309] ieee802154 phy1 wpan1: encryption failed: -22
[   80.210705][ T5326] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium
[   80.251377][ T5323] wlan1: No basic rates, using min rate instead
[   80.255663][ T5323] wlan1: authenticate with 08:02:11:00:00:00 (local address=08:02:11:00:00:01)
[   80.259942][ T5323] wlan1: send auth to 08:02:11:00:00:00 (try 1/3)
[   80.265206][   T27] wlan1: authenticated
[   80.266944][ T5323] wlan1: associating to AP 08:02:11:00:00:00 with corrupt probe response
[   80.270589][ T5326] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium
[   80.274667][   T27] wlan1: RX AssocResp from 08:02:11:00:00:00 (capab=0xa004 status=0 aid=12)
[   80.277515][   T27] wlan1: No basic rates, using min rate instead
[   80.281853][ T5326] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium
[   80.285463][   T27] wlan1: associated
[   80.291849][ T5326] netlink: 'syz.0.0': attribute type 3 has an invalid length.
[   80.294904][ T5326] netlink: 36 bytes leftover after parsing attributes in process `syz.0.0'.
[   80.300813][ T5326] ------------[ cut here ]------------
[   80.302645][ T5326] WARNING: CPU: 0 PID: 5326 at net/mac80211/tdls.c:611 ieee80211_tdls_build_mgmt_packet_data+0x329c/0x4080
[   80.306496][ T5326] Modules linked in:
[   80.307987][ T5326] CPU: 0 UID: 0 PID: 5326 Comm: syz.0.0 Not tainted 6.14.0-rc1-syzkaller-00034-g92514ef226f5 #0
[   80.311871][ T5326] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   80.315834][ T5326] RIP: 0010:ieee80211_tdls_build_mgmt_packet_data+0x329c/0x4080
[   80.318403][ T5326] Code: f5 ff ff e8 06 49 3d f6 90 0f 0b 90 4c 8b 7c 24 10 e9 7e fe ff ff e8 f3 48 3d f6 90 0f 0b 90 e9 70 fe ff ff e8 e5 48 3d f6 90 <0f> 0b 90 e9 62 fe ff ff 44 89 f1 80 e1 07 80 c1 03 38 c1 0f 8c c7
[   80.325881][ T5326] RSP: 0018:ffffc9000d3df0c0 EFLAGS: 00010287
[   80.328300][ T5326] RAX: ffffffff8b82153b RBX: ffff8880530e8d80 RCX: 0000000000100000
[   80.331519][ T5326] RDX: ffffc9000e8aa000 RSI: 00000000000002da RDI: 00000000000002db
[   80.334887][ T5326] RBP: ffffc9000d3df260 R08: ffffffff901b5177 R09: 1ffffffff2036a2e
[   80.338587][ T5326] R10: dffffc0000000000 R11: fffffbfff2036a2f R12: dffffc0000000000
[   80.342012][ T5326] R13: 0000000000000017 R14: 0000000000000000 R15: ffff88805275d640
[   80.345555][ T5326] FS:  00007f8e67e296c0(0000) GS:ffff88801fc00000(0000) knlGS:0000000000000000
[   80.349392][ T5326] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   80.352524][ T5326] CR2: 00007f8e67cd7d60 CR3: 0000000053256000 CR4: 0000000000352ef0
[   80.355644][ T5326] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   80.358846][ T5326] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   80.362106][ T5326] Call Trace:
[   80.363513][ T5326]  <TASK>
[   80.364695][ T5326]  ? __warn+0x165/0x4d0
[   80.366330][ T5326]  ? ieee80211_tdls_build_mgmt_packet_data+0x329c/0x4080
[   80.369037][ T5326]  ? report_bug+0x2b3/0x500
[   80.370876][ T5326]  ? ieee80211_tdls_build_mgmt_packet_data+0x329c/0x4080
[   80.373431][ T5326]  ? handle_bug+0x60/0x90
[   80.375268][ T5326]  ? exc_invalid_op+0x1a/0x50
[   80.376972][ T5326]  ? asm_exc_invalid_op+0x1a/0x20
[   80.378992][ T5326]  ? ieee80211_tdls_build_mgmt_packet_data+0x329b/0x4080
[   80.381489][ T5326]  ? ieee80211_tdls_build_mgmt_packet_data+0x329c/0x4080
[   80.384023][ T5326]  ? rcu_is_watching+0x15/0xb0
[   80.385990][ T5326]  ? ieee80211_tdls_build_mgmt_packet_data+0xe6/0x4080
[   80.388830][ T5326]  ? __pfx_ieee80211_tdls_build_mgmt_packet_data+0x10/0x10
[   80.391716][ T5326]  ? rcu_read_unlock_special+0x497/0x570
[   80.393953][ T5326]  ? __pfx_lock_release+0x10/0x10
[   80.396027][ T5326]  ? __pfx_rcu_read_unlock_special+0x10/0x10
[   80.398290][ T5326]  ? __pfx_lock_release+0x10/0x10
[   80.400328][ T5326]  ? sta_info_get+0x50/0x2b0
[   80.401999][ T5326]  ? ieee80211_tdls_prep_mgmt_packet+0x3b/0x860
[   80.404296][ T5326]  ieee80211_tdls_prep_mgmt_packet+0x3b6/0x860
[   80.406740][ T5326]  ? ieee80211_tdls_prep_mgmt_packet+0x3b/0x860
[   80.409141][ T5326]  ieee80211_tdls_mgmt+0x8cf/0x10a0
[   80.411036][ T5326]  nl80211_tdls_mgmt+0x4d8/0x770
[   80.412888][ T5326]  genl_rcv_msg+0xb14/0xec0
[   80.414597][ T5326]  ? __pfx_genl_rcv_msg+0x10/0x10
[   80.416591][ T5326]  ? __pfx_lock_acquire+0x10/0x10
[   80.418526][ T5326]  ? __pfx_nl80211_pre_doit+0x10/0x10
[   80.420597][ T5326]  ? __pfx_nl80211_tdls_mgmt+0x10/0x10
[   80.422318][ T5326]  ? __pfx_nl80211_post_doit+0x10/0x10
[   80.424170][ T5326]  ? __pfx___might_resched+0x10/0x10
[   80.425984][ T5326]  netlink_rcv_skb+0x1e3/0x430
[   80.427764][ T5326]  ? __pfx_genl_rcv_msg+0x10/0x10
[   80.429630][ T5326]  ? __pfx_netlink_rcv_skb+0x10/0x10
[   80.431614][ T5326]  ? __netlink_deliver_tap+0x7aa/0x7f0
[   80.433648][ T5326]  genl_rcv+0x28/0x40
[   80.435243][ T5326]  netlink_unicast+0x7f6/0x990
[   80.437430][ T5326]  ? __pfx_netlink_unicast+0x10/0x10
[   80.439719][ T5326]  ? __virt_addr_valid+0x45f/0x530
[   80.441906][ T5326]  ? __phys_addr_symbol+0x2f/0x70
[   80.443818][ T5326]  ? __check_object_size+0x47a/0x730
[   80.445870][ T5326]  netlink_sendmsg+0x8e4/0xcb0
[   80.447704][ T5326]  ? __pfx_netlink_sendmsg+0x10/0x10
[   80.449728][ T5326]  ? aa_sock_msg_perm+0x91/0x160
[   80.451692][ T5326]  ? __pfx_netlink_sendmsg+0x10/0x10
[   80.453720][ T5326]  __sock_sendmsg+0x221/0x270
[   80.455523][ T5326]  ____sys_sendmsg+0x52a/0x7e0
[   80.457361][ T5326]  ? __pfx_____sys_sendmsg+0x10/0x10
[   80.459388][ T5326]  ? __fget_files+0x2a/0x410
[   80.461145][ T5326]  ? __fget_files+0x2a/0x410
[   80.463079][ T5326]  __sys_sendmsg+0x269/0x350
[   80.465047][ T5326]  ? __pfx___sys_sendmsg+0x10/0x10
[   80.467211][ T5326]  ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[   80.469767][ T5326]  ? do_syscall_64+0x100/0x230
[   80.471608][ T5326]  ? do_syscall_64+0xb6/0x230
[   80.473405][ T5326]  do_syscall_64+0xf3/0x230
[   80.475027][ T5326]  ? clear_bhb_loop+0x35/0x90
[   80.476660][ T5326]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   80.478599][ T5326] RIP: 0033:0x7f8e66f8cde9
[   80.480371][ T5326] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[   80.486686][ T5326] RSP: 002b:00007f8e67e29038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   80.489823][ T5326] RAX: ffffffffffffffda RBX: 00007f8e671a5fa0 RCX: 00007f8e66f8cde9
[   80.492660][ T5326] RDX: 0000000000000000 RSI: 0000200000000000 RDI: 0000000000000006
[   80.495796][ T5326] RBP: 00007f8e6700e2a0 R08: 0000000000000000 R09: 0000000000000000
[   80.498602][ T5326] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   80.501254][ T5326] R13: 0000000000000000 R14: 00007f8e671a5fa0 R15: 00007fff4183aaf8
[   80.503825][ T5326]  </TASK>
[   80.504863][ T5326] Kernel panic - not syncing: kernel: panic_on_warn set ...
[   80.507463][ T5326] CPU: 0 UID: 0 PID: 5326 Comm: syz.0.0 Not tainted 6.14.0-rc1-syzkaller-00034-g92514ef226f5 #0
[   80.511136][ T5326] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   80.515187][ T5326] Call Trace:
[   80.516578][ T5326]  <TASK>
[   80.517757][ T5326]  dump_stack_lvl+0x241/0x360
[   80.519764][ T5326]  ? __pfx_dump_stack_lvl+0x10/0x10
[   80.521765][ T5326]  ? __pfx__printk+0x10/0x10
[   80.523617][ T5326]  ? _printk+0xd5/0x120
[   80.525284][ T5326]  ? __init_begin+0x41000/0x41000
[   80.527165][ T5326]  ? vscnprintf+0x5d/0x90
[   80.528818][ T5326]  panic+0x349/0x880
[   80.530349][ T5326]  ? __warn+0x174/0x4d0
[   80.532017][ T5326]  ? __pfx_panic+0x10/0x10
[   80.533611][ T5326]  __warn+0x344/0x4d0
[   80.535185][ T5326]  ? ieee80211_tdls_build_mgmt_packet_data+0x329c/0x4080
[   80.537622][ T5326]  report_bug+0x2b3/0x500
[   80.539191][ T5326]  ? ieee80211_tdls_build_mgmt_packet_data+0x329c/0x4080
[   80.541655][ T5326]  handle_bug+0x60/0x90
[   80.543231][ T5326]  exc_invalid_op+0x1a/0x50
[   80.544952][ T5326]  asm_exc_invalid_op+0x1a/0x20
[   80.546810][ T5326] RIP: 0010:ieee80211_tdls_build_mgmt_packet_data+0x329c/0x4080
[   80.549664][ T5326] Code: f5 ff ff e8 06 49 3d f6 90 0f 0b 90 4c 8b 7c 24 10 e9 7e fe ff ff e8 f3 48 3d f6 90 0f 0b 90 e9 70 fe ff ff e8 e5 48 3d f6 90 <0f> 0b 90 e9 62 fe ff ff 44 89 f1 80 e1 07 80 c1 03 38 c1 0f 8c c7
[   80.556594][ T5326] RSP: 0018:ffffc9000d3df0c0 EFLAGS: 00010287
[   80.558882][ T5326] RAX: ffffffff8b82153b RBX: ffff8880530e8d80 RCX: 0000000000100000
[   80.561796][ T5326] RDX: ffffc9000e8aa000 RSI: 00000000000002da RDI: 00000000000002db
[   80.564656][ T5326] RBP: ffffc9000d3df260 R08: ffffffff901b5177 R09: 1ffffffff2036a2e
[   80.567482][ T5326] R10: dffffc0000000000 R11: fffffbfff2036a2f R12: dffffc0000000000
[   80.570471][ T5326] R13: 0000000000000017 R14: 0000000000000000 R15: ffff88805275d640
[   80.573429][ T5326]  ? ieee80211_tdls_build_mgmt_packet_data+0x329b/0x4080
[   80.576104][ T5326]  ? rcu_is_watching+0x15/0xb0
[   80.577961][ T5326]  ? ieee80211_tdls_build_mgmt_packet_data+0xe6/0x4080
[   80.580556][ T5326]  ? __pfx_ieee80211_tdls_build_mgmt_packet_data+0x10/0x10
[   80.583320][ T5326]  ? rcu_read_unlock_special+0x497/0x570
[   80.585329][ T5326]  ? __pfx_lock_release+0x10/0x10
[   80.586795][ T5326]  ? __pfx_rcu_read_unlock_special+0x10/0x10
[   80.588802][ T5326]  ? __pfx_lock_release+0x10/0x10
[   80.590670][ T5326]  ? sta_info_get+0x50/0x2b0
[   80.592299][ T5326]  ? ieee80211_tdls_prep_mgmt_packet+0x3b/0x860
[   80.594433][ T5326]  ieee80211_tdls_prep_mgmt_packet+0x3b6/0x860
[   80.596474][ T5326]  ? ieee80211_tdls_prep_mgmt_packet+0x3b/0x860
[   80.598616][ T5326]  ieee80211_tdls_mgmt+0x8cf/0x10a0
[   80.600451][ T5326]  nl80211_tdls_mgmt+0x4d8/0x770
[   80.602162][ T5326]  genl_rcv_msg+0xb14/0xec0
[   80.603992][ T5326]  ? __pfx_genl_rcv_msg+0x10/0x10
[   80.605935][ T5326]  ? __pfx_lock_acquire+0x10/0x10
[   80.607890][ T5326]  ? __pfx_nl80211_pre_doit+0x10/0x10
[   80.609929][ T5326]  ? __pfx_nl80211_tdls_mgmt+0x10/0x10
[   80.612074][ T5326]  ? __pfx_nl80211_post_doit+0x10/0x10
[   80.614199][ T5326]  ? __pfx___might_resched+0x10/0x10
[   80.616277][ T5326]  netlink_rcv_skb+0x1e3/0x430
[   80.618097][ T5326]  ? __pfx_genl_rcv_msg+0x10/0x10
[   80.619956][ T5326]  ? __pfx_netlink_rcv_skb+0x10/0x10
[   80.621839][ T5326]  ? __netlink_deliver_tap+0x7aa/0x7f0
[   80.623970][ T5326]  genl_rcv+0x28/0x40
[   80.625498][ T5326]  netlink_unicast+0x7f6/0x990
[   80.627383][ T5326]  ? __pfx_netlink_unicast+0x10/0x10
[   80.629256][ T5326]  ? __virt_addr_valid+0x45f/0x530
[   80.631164][ T5326]  ? __phys_addr_symbol+0x2f/0x70
[   80.633161][ T5326]  ? __check_object_size+0x47a/0x730
[   80.634954][ T5326]  netlink_sendmsg+0x8e4/0xcb0
[   80.636562][ T5326]  ? __pfx_netlink_sendmsg+0x10/0x10
[   80.638128][ T5326]  ? aa_sock_msg_perm+0x91/0x160
[   80.639963][ T5326]  ? __pfx_netlink_sendmsg+0x10/0x10
[   80.641757][ T5326]  __sock_sendmsg+0x221/0x270
[   80.643507][ T5326]  ____sys_sendmsg+0x52a/0x7e0
[   80.645059][ T5326]  ? __pfx_____sys_sendmsg+0x10/0x10
[   80.646595][ T5326]  ? __fget_files+0x2a/0x410
[   80.648095][ T5326]  ? __fget_files+0x2a/0x410
[   80.649993][ T5326]  __sys_sendmsg+0x269/0x350
[   80.651857][ T5326]  ? __pfx___sys_sendmsg+0x10/0x10
[   80.653901][ T5326]  ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[   80.656338][ T5326]  ? do_syscall_64+0x100/0x230
[   80.658065][ T5326]  ? do_syscall_64+0xb6/0x230
[   80.659514][ T5326]  do_syscall_64+0xf3/0x230
[   80.660831][ T5326]  ? clear_bhb_loop+0x35/0x90
[   80.662482][ T5326]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   80.664740][ T5326] RIP: 0033:0x7f8e66f8cde9
[   80.666483][ T5326] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[   80.673559][ T5326] RSP: 002b:00007f8e67e29038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   80.676850][ T5326] RAX: ffffffffffffffda RBX: 00007f8e671a5fa0 RCX: 00007f8e66f8cde9
[   80.679909][ T5326] RDX: 0000000000000000 RSI: 0000200000000000 RDI: 0000000000000006
[   80.682867][ T5326] RBP: 00007f8e6700e2a0 R08: 0000000000000000 R09: 0000000000000000
[   80.685846][ T5326] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   80.688789][ T5326] R13: 0000000000000000 R14: 00007f8e671a5fa0 R15: 00007fff4183aaf8
[   80.691929][ T5326]  </TASK>
[   80.693372][ T5326] Kernel Offset: disabled
[   80.694892][ T5326] Rebooting in 86400 seconds..